6. Example 1 - ANY System Privileges
• Oracle has over 100 system privileges
• Nearly every ANY system privilege can be used by an attacker to assume DBA privileges:
EXECUTE ANY PROCEDURE
There are many procedures within the SYS schema that run with definer rights, so if I can execute them I can grant myself privileges:
exec sys.dbms_repact_sql_util.do_sql('grant dba to ronb', true);
exec sys.dbms_streams_rpc.execute_stmt('grant dba to ronb');
exec sys.ltadm.executesql('grant dba to ronb');
CREATE ANY VIEW
I’ll create a procedure that gives me DBA privileges running with invoker rights
I’ll create a view in the SYSTEM schema that will run the procedure
I’ll convince a DBA to access the view
CREATE ANY TRIGGER
I’ll create a procedure that grants me DBA, running with invoker rights
Pick a user with DBA privileges
Pick a table within that user schema for which PUBLIC has some privileges (e.g. SELECT)
I’ll define a trigger on the privilege that PUBLIC has (e.g. SELECT) that calls the procedure
I’ll access the object (since I’m using a PUBLIC privilege)
I now have DBA privileges! (the trigger runs as the schema owner)
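As an added defensive counterpart to this slide (not part of the original deck), the following Oracle SQL inventories who effectively holds an ANY system privilege, directly or through nested roles, and looks for the view-or-trigger-plus-invoker-rights-procedure pattern described above. It is meant to be run as a DBA from SQL*Plus and uses only standard data-dictionary views; the AUTHID column of DBA_PROCEDURES assumes Oracle 11g or later, and the closing AUDIT statement assumes traditional (non-unified) auditing.

```sql
-- Added example, not from the original deck. Run as a DBA.

-- 1. Every ANY system privilege, and who effectively holds it
--    (directly, or through any chain of granted roles).
WITH effective_roles AS (
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS holder,
         granted_role            AS role_name
  FROM   dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
)
SELECT holder, privilege, via
FROM (
  SELECT grantee AS holder, privilege, 'DIRECT' AS via
  FROM   dba_sys_privs
  UNION ALL
  SELECT er.holder, sp.privilege, er.role_name AS via
  FROM   effective_roles er
  JOIN   dba_sys_privs   sp ON sp.grantee = er.role_name
)
WHERE  privilege LIKE '%ANY%'
ORDER  BY holder, privilege;

-- 2. The view/trigger pattern from the slide: an object owned by a
--    DBA-role schema that depends on an invoker-rights
--    (AUTHID CURRENT_USER) procedure owned by someone else. When the
--    DBA touches the view or fires the trigger, the foreign procedure
--    runs with the DBA's identity.
SELECT DISTINCT d.owner, d.type, d.name,
       d.referenced_owner, d.referenced_name
FROM   dba_dependencies d
JOIN   dba_procedures   p
       ON  p.owner       = d.referenced_owner
       AND p.object_name = d.referenced_name
       AND p.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
WHERE  d.type IN ('VIEW', 'TRIGGER')
AND    d.referenced_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
AND    d.referenced_owner <> d.owner
AND    p.authid = 'CURRENT_USER'
AND    d.owner IN (SELECT grantee FROM dba_role_privs
                   WHERE  granted_role = 'DBA')
ORDER  BY d.owner, d.name;

-- 3. Record use of the privileges this slide names, so that objects
--    created in someone else's schema show up in the audit trail.
AUDIT CREATE ANY TRIGGER, CREATE ANY VIEW, CREATE ANY PROCEDURE,
      EXECUTE ANY PROCEDURE BY ACCESS;
```

Query 1 is the one to run first: every holder it returns who is not a DBA-equivalent account by design is a candidate for revocation. Query 2 returns nothing on a clean system, so any row is worth reading in full before deciding whether the dependency is legitimate.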
7. Example 2 – UTL_FILE
DECLARE file_name utl_file.file_type;
BEGIN
  file_name := utl_file.fopen(<dir>, <file name>, 'w');
  utl_file.put_line(file_name, 'abcdefgh', TRUE);
  utl_file.fclose(file_name);
END;
• The ability to write files to the OS is a very dangerous thing
• Runs with the OS privileges of the database instance owner
• Can be used to delete audit files
• Can be used to delete or corrupt a data file, including the SYSTEM tablespace
• Can be used to change configuration files
• Can be used to write a .rhosts file to allow access to the OS
• Can be used to write to .cshrc or .login for the oracle OS account
• Can be used to write a login.sql or glogin.sql file to cause a SQL command to be called with the privileges of a DBA
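As an added example (not from the original deck), the following Oracle SQL checks the exposure this slide describes from the DBA's side: who can call UTL_FILE, which OS paths it can reach, and how to restrict and audit it. It assumes a traditional (pre-12c or mixed-mode) auditing configuration and a release that still has the utl_file_dir parameter; the schema name hypothetical_app_schema is a placeholder, and the REVOKE is a decision point rather than a blanket fix, because packages that legitimately depend on UTL_FILE need their own grant first.

```sql
-- Added example, not from the original deck. Run as a DBA.

-- 1. Who can execute UTL_FILE? By default the grant is to PUBLIC.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'UTL_FILE';

-- 2. Where can it write? The legacy utl_file_dir parameter opens whole
--    paths ('*' means anything the oracle OS account can reach) ...
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

--    ... and directory objects grant READ/WRITE per path.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
JOIN   dba_tab_privs   p ON p.owner = 'SYS'
                        AND p.table_name = d.directory_name
WHERE  p.privilege IN ('READ', 'WRITE', 'EXECUTE')
ORDER  BY d.directory_path, p.grantee;

-- 3. Reduce the blast radius: take UTL_FILE away from PUBLIC and grant
--    it only to the schemas query 1 and the application inventory show
--    to need it (hypothetical_app_schema is a placeholder name).
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_file TO hypothetical_app_schema;

-- 4. Record every call so file writes appear in the audit trail, and keep
--    that trail where UTL_FILE cannot reach it (a path the oracle OS
--    account cannot write, or syslog) so the slide's first abuse case,
--    deleting the audit files, is not available.
AUDIT EXECUTE ON sys.utl_file BY ACCESS;
```

Any directory object with WRITE granted to PUBLIC, or a utl_file_dir of '*', should be treated as equivalent to giving every database user a shell-level write on the server.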
9. Complexity
“Though some movie plots would have us believe otherwise, cyber attacks in the real world rarely involve Mission Impossible-like scenarios. Quite the opposite, in fact.”
10. Example 3 - Passwords
• Spida
– Microsoft SQL Server
– Empty sa password
– xp_cmdshell
– Propagation
– Made it to 4th place in the SANS “Top Ten”
• APPS/APPS
• Credentials embedded in application configuration files:

WebLogic connection pool properties:
weblogic.jdbc.connectionPool.eng=
url=jdbc:weblogic:oracle,
driver=weblogic.jdbc.oci.Driver,
loginDelaySecs=2,
initialCapacity=50,
capacityIncrement=10,
maxCapacity=100,
props=user=scott,password=tiger,server=ORCL

iAS resources XML:
<ias-resources>
<jdbc>
<database>ORCL</database>
<datasource>ORCL</datasource>
<username>scott</username>
<password>tiger</password>
<driver-type>ORACLE_OCI</driver-type>
</jdbc>
</ias-resources>

SQL Server OLE DB connection string:
Provider=SQLOLEDB;Data Source=192.168.1.32;Initial Catalog=Northwind;User ID=sa;Password=sapwd;
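An added defensive check for this slide (not from the original deck): Oracle SQL that lists accounts still on a vendor default password, shows whether the password profile actually enforces complexity and lockout, and spots one database account being used from many client hosts, which is how a shared credential such as APPS/APPS or the embedded scott/tiger above looks from the server. DBA_USERS_WITH_DEFPWD assumes Oracle 11g or later; hypothetical_unused_account is a placeholder name; and the application configuration files themselves still need a separate file-system review, since the database cannot see where its passwords have been copied.

```sql
-- Added example, not from the original deck. Run as a DBA.

-- 1. Accounts whose password still matches the vendor default
--    (APPS/APPS, SCOTT/TIGER, ...), together with their status.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Does the profile those accounts use enforce anything? A limit of
--    UNLIMITED or NULL on these rows means empty or trivial passwords
--    are accepted and guessing is never locked out.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('PASSWORD_VERIFY_FUNCTION',
                         'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_LIFE_TIME')
ORDER  BY profile, resource_name;

-- 3. One database user connecting from many hosts and programs is the
--    server-side fingerprint of a credential pasted into config files.
SELECT username,
       COUNT(DISTINCT machine) AS hosts,
       COUNT(DISTINCT program) AS programs,
       COUNT(*)                AS sessions
FROM   v$session
WHERE  type = 'USER' AND username IS NOT NULL
GROUP  BY username
ORDER  BY hosts DESC, sessions DESC;

-- 4. Remediation for a default account nobody needs: lock and expire it,
--    then re-run query 1 to confirm (replace the placeholder name).
ALTER USER hypothetical_unused_account ACCOUNT LOCK PASSWORD EXPIRE;
```

Query 3 is a point-in-time view of v$session; running it on a schedule, or feeding the same grouping into the monitoring described later in the deck, is what turns it into a detection rather than a snapshot.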
16. More Oracle Performance tests
• Sun E6500
• 28 CPUs, 28 GB
• 100 concurrent connections
– Each doing inserts (real application table, with indexes etc.)
– 100 ms delay between each insert
19. Database Activity Monitoring - DAM
• Other reasons to look beyond native Auditing
– Heterogeneous support
– Easier to deploy and manage
– IPC interception to avoid impact to the database
– Functionality/Maturity
• Security and Auditing
– Assessments
– Policies
– Change management
– Audit (as opposed to auditing)
• Automation
• Compliance packages
– Independence of the audit trail
– Separation of duties
– Allows security functions such as prevention and redaction
20. Protecting
Diagram (layout lost in extraction): Security Monitoring & Data Protection, with the headings Scope, Technical Requirements, Access and Compliance, covering Violations & Incidents Remediation, Monitoring & Anomaly Detection, Data Access Protection, Data Extrusion Protection and Privileged User Access Control.
22. Scalable Multi-Tier Architecture
Diagram (layout lost in extraction): Data Center 1 and Data Center 2, including IBM System z and Development, Test & Training systems, each instrumented with a Host-Based Probe (S-TAP) and Data-Level Access Control (S-GATE); a Collector in each data center reports to a Central Policy Manager & Audit Repository; Optim; integration with LDAP/AD, IAM, Change Management, SIEM, Archiving, etc.